Org Scoring Approaches in Secure

This article discusses how an organization would define a scoring policy and which scoring approach to use when securing their data.

Define a Policy

• First fine tune a scoring policy in a full sandbox environment.
• Import the scoring policy into a production environment using the Secure Policy Migration Wizard.

Scoring Approach

• Run at 100
  • Goal(s) 
    • Scores should equal 100% across lenses, unless something new has been introduced and decreases the lens score(s).
  • Benefits
    • It is very easy to detect when something risky has been introduced to the Org.  
    • Lens score alerts provide valuable proactive notifications and should justify periodic SI job runs.
    • Collaboration on scoring configuration between InfoSec & Salesforce COE better informs both parties on what the ideal configuration looks like.
  • Downsides
    • More time is spent on exclusions and discussions in the beginning.
    • More setup work is required.
  • Configuration Guidelines
    • Set “Max” thresholds at 0 in most cases.
    • Leverage exclusions for accepted risks (e.g. 5 Insecure Remote Site Settings).
    • Ensure risk ratings reflect how the Customer feels about the risk of the information in an insight.
• Reflect Residual Risk
  • Goal(s)
    • Org scores reflect the actual risk of the Org.
    • There are few, if any, exclusions or accepted risks.
  • Benefit(s)
    • The Org does not obtain a false sense of security from all SI lens scores = 100%.
    • Vulnerabilities are clearer and accurately influence investment decisions.
    • Easier initial setup.
  • Downsides
    • Can be more difficult to immediately identify that something risky has been introduced to the Org. Lens score alerts and Action Plans can alleviate this.
    • Goes against human nature which desires 100% scores.
  • Configuration Guidelines
    • Utilize Max values above 0 more often and more limited use of exclusions.
    • For example, users without IP Restrictions are never implemented and are not practical. Two admins have profile-based IP restrictions while no one else does. Set Max > 0. Score will be < 1%, as it should be, to represent the risk of the scenario. The only way to achieve 100% is to set Max to 0 and Exclude both admins with IP Restrictions.